Chapter 3
Controls and Safeguards

Solutions in this chapter:

- Data Security Program
- Security Controls
- Technical Safeguards
- Access Control
- Activity Logging and Monitoring
- Software Assurance
- Change Management
- Disaster Recovery/Business Continuity Planning
- Training and Awareness
- Auditing
- Summary
Data Security Program

An organization's data security program will enable the management and control of identified data security risks. It can significantly influence reputational, operational, legal, and strategic risks by limiting the organization's vulnerability to data compromise and maintaining third-party confidence and trust.

The data security program includes data classification and the associated risk assessment, an information security strategy to mitigate the risks, the implementation of controls to protect the data, monitoring and testing of the controls to verify that they are appropriate, effective, and performing as intended, and a process to continuously gather and analyze new threats and vulnerabilities in order to update the risk assessment, strategy, and controls.

The successful implementation of a data security program will depend on several factors, including:

- Security policies, procedures, and controls based on business objectives.
- A security approach consistent with organizational culture.
- Visible management support and commitment.
- A thorough understanding of security requirements based on a risk management approach.
- Implementation and testing of controls.
- Appropriate policy and standards distribution, training, and education.

Security Controls

Information security controls are the technical, process, physical, and policy safeguards designed to protect sensitive data by mitigating the identified and assessed risks to its confidentiality, integrity, and availability. The selection and specification of controls is accomplished as part of an organizationwide risk management and information security program and is typically dependent on risk mitigation objectives balanced by implementation cost.

Management Responsibility

Senior management has the responsibility to ensure integration of security controls throughout the organization by ensuring the security program is governed by
organizational policies and practices that are consistently applied, enforcing compliance with the security program across the organization, and ensuring an effective information security awareness program has been implemented.

In order to delineate clear lines of responsibility and accountability for information security risk management decisions, management should designate one or more individuals as information security officers, who will be responsible and accountable for administration of the security program. To ensure appropriate segregation of duties, the information security officers should report directly to the board or to senior management and have sufficient independence to perform their assigned tasks.

While information security officers may ultimately be responsible for the management of the security program and the implementation of appropriate safeguards, a system of internal control is not a separate and distinct system within an organization, but the embodiment of all the plans and devices that assure reasonable control over risks and operations. Accordingly, the responsibility for good internal controls rests with the management of the individual business units and not with any external unit. The same managers who are responsible for day-to-day operations and decision making are also responsible for ensuring the presence and effectiveness of internal controls.

Defense in Depth

Since it is practically impossible to eliminate all vulnerabilities in the organizational infrastructure, security should integrate and coordinate the capabilities of people, operations, and technology to establish multiple security countermeasures to protect the confidentiality and integrity of information assets. This multilayered defense strategy, called defense in depth (DiD), is an Information Assurance construct in which multiple related actions and controls are applied to minimize failures and compromises and their propagation.
Defense in Depth involves a multipronged and tiered approach to defense mechanisms. It is designed on the principle that multiple layers of different types of protection, each presenting unique obstacles, will increase the likelihood of being able to identify and prevent an attack. Each protection layer has unique characteristics, presenting successive obstacles for an intruder to overcome. This will not only reduce the risk of security breaches, but also allow an organization time to detect and respond to an attack, therefore reducing and mitigating the breach's impact.
Achieving Information Assurance through DiD requires a focus on three primary elements:

- People: This includes senior-level management attention, assignment of specific roles and responsibilities, commitment of resources, training of critical personnel, and personal accountability.
- Technology: Multiple and layered technological defenses outside, at, and within the perimeter, including encryption, firewalls, intrusion detection, transmission and remote access controls, and antivirus and patch management.
- Operations: The activities required to sustain an organization's security posture on a day-to-day basis, including security policies, risk assessments, security and vulnerability reviews, process controls, and incident response planning.

Control Identification

The challenge for organizations is to determine the appropriate set of security controls which, if implemented and determined to be effective in their application, would comply with the stated security requirements by mitigating the impact or likelihood of each identified threat. For each security category, a variety of controls are necessary for a comprehensive and robust security framework. The following considerations should be addressed during control selection and implementation:

- What are the necessary controls to adequately protect organizational information?
- Have the selected security controls been implemented, or is there a realistic plan for their implementation?
- What is the required level of assurance that the selected controls are effective as implemented?

The major factor that will influence the selection of safeguards and controls is a risk-based cost/benefit analysis. Other factors include ease of use, transparency to users, compatibility with existing controls, and integration with overall security management tools.
Control identification is accomplished most effectively as an organizationwide exercise, which considers the protection requirements for the various classes of
information. This is especially relevant since many controls may depend on other controls and processes for proper functioning. Control identification and implementation is generally performed by a specialized team under the direction of the Information Security Office. However, data owners are ultimately responsible for the proper functioning of security controls affecting their data.

Types of Controls

Controls can be categorized by what they are and what they do. The following three broad categories define the main objectives of effective security implementation:

- Physical Controls: Security measures, devices, and means to control physical access to a defined structure.
- Technical Controls: Technology-based measures to control logical access to sensitive information.
- Administrative or Process Controls: Policies, procedures, and processes to define and guide user actions and restrictions in dealing with sensitive information.

Within these major categories, controls can be defined by what they do, including:

- Preventive: Preventive controls act to limit the likelihood of a threat by preventing intentional or unintentional unauthorized disclosure of sensitive information.
- Detective: Detective controls detect and report actual or attempted unauthorized events by helping identify harmful actions as they occur.
- Corrective: Corrective controls respond to security incidents and terminate harmful events or reduce their damage.

Baseline Approach

A baseline approach to control implementation requires the establishment of a minimum set of information safeguards against the most common threats. An appropriate and justifiable baseline can be developed based on industry practice or public standards, and existing safeguards can be compared with the baseline. A gap analysis will identify applicable controls that need to be implemented.
The benefit of the baseline approach is a simplified risk assessment. However, there are several risks in using this approach, including:

- The baseline does not identify all the organization's assets or accurately reflect its environment.
- Nonstandard threats or vulnerabilities are missed by the baseline.
- The gap analysis does not accurately reflect the variation between existing and required controls.
- The baseline is used as a simple checklist and acts as a substitute for all risk management.
- The baseline may be excessive for the security risk exposure as a whole or as related to a particular control.

As a result, a baseline should not be adopted without ensuring that it is appropriate to the organization's risk profile and circumstances. However, it can be useful in identifying information security strengths and weaknesses, since the result of a security baseline analysis can enable the organization to evaluate its information security posture and identify areas for improvement.

Constraints

Several constraints may arise during control implementation and may need to be resolved on a control-by-control basis. These include:

- Time: The acceptable implementation time period based on asset sensitivity, criticality, vulnerability, and risk exposure criteria.
- Financial: Because of conflicting demands on financial resources, a proposed control may be partially implemented, with management prepared to accept the residual risk until additional funds become available.
- Technical: Technical and compatibility constraints can hinder the effective implementation of controls on existing systems or data.
- Cultural: Individual resistance to particular controls may render them ineffective, especially if staff feel that the control hinders their work and, as a result, develop workarounds.
- Legal: Legal and contractual factors may mandate or bar the selection and implementation of a particular control.
- Skills and Training: Some controls may not operate correctly if people with the necessary skills, competencies, and training are not available.

Laptops

Lost or stolen laptops represent a significant source of data compromise and are the most frequently reported information security incidents. Any sensitive data stored on a lost or stolen laptop and potentially compromised will most likely have a much greater value than the replacement cost of the actual laptop.

As a general rule, sensitive data should not be stored on laptops or any devices that can leave a secure environment. If there is a legitimate business need to store such data on a laptop, access or downloads should be logged at the source so that there is a record of what information was copied, to where, when, and by whom.

The security requirements implemented on laptops that may potentially store sensitive information should be comparable to network-based security. These include:

- Full-disk encryption to prevent unauthorized parties from retrieving the data or from extracting domain-based credentials and user account profiles that allow access to organizational network resources. Encryption passwords should adhere to complexity standards to minimize cracking risk. The organization should consider implementing systemic disk encryption solutions that do not rely on employees' discretion as to what data to encrypt.
- Any technology that can restrict usage of the laptop to a designated individual.
- Remote tracking and data reset features that, once activated, will ensure that files are not readable or recoverable.
- Frequent connection to the corporate network to receive the latest software patches, antivirus files, and firewall patterns.
- A prohibition on altering system software or hardware configuration unless specifically instructed to do so by IT Services.
- A prohibition on loading additional application software onto the laptop unless specifically approved by IT Services.
- Scheduled backups of all important information on the laptop.
- Implementation of, and adherence to, a policy describing the risks of laptop loss as well as the responsibility of the user.
- An implemented policy specifically authorizing certain laptops to process sensitive information.
- Procedures for appropriate physical securing, proper and inconspicuous packing during transportation, and general alertness to minimize the risk of theft and loss.

Sufficient attention should be given to property management. This includes conducting periodic inventories of accountable property, ensuring that departing employees return all property that had been issued to them, and adequately documenting the destruction of outdated, damaged, or excessed laptops, including sanitization of all sensitive information prior to disposal.

Portable Storage Devices

Portable storage devices such as flash drives present particular challenges because their small size increases the possibility of physical loss with the attendant data loss. Additionally, the size combined with the ease of use can allow malicious insiders to inconspicuously copy large amounts of data. Particular care should be paid to these devices since they can also impact data and network security through the intentional or unintentional bypass of perimeter defenses such as firewalls and antivirus software and introduce viruses and malware into the network.

The organization should outline in its acceptable use policy guidelines on using portable storage devices by specifying the parameters within which they can be used. Sensitive data should not be stored on a portable storage device unless the appropriate procedure is implemented and followed for obtaining management authorization for the placement of sensitive data on the device. This can be enforced through automated means that can detect when such a device is connected to an organizational resource. If the use of these devices is allowed by the organization, data owners will have the primary responsibility for authorizing the use and storage of sensitive data on them.
Controls will include:

- Provisions for training to increase awareness of the need for security in this area.
- Limiting access to authorized devices or users.
- Blocking communication with specific information resources.
- Disabling file- and print-sharing functions.
- As in the case of laptops, encryption to protect any sensitive data on the device.
- Passwords that conform to the requirements and guidelines of organizational password policies.
- A prohibition on transferring sensitive data to another device not in compliance with the policy.
- Inventory and audit trail of the sensitive data used by specific individuals on specific portable devices.
- Ensuring that there is a backup of data within a secured storage environment.
- Labeling all portable devices for individual identification, such as an asset or property tag or banner containing appropriate contact information and instructions on how to return the portable device.
- Ensuring that any loss, theft, or unauthorized access is reported promptly and appropriately.

Transportable Media

Numerous business processes may require the transfer of information via transportable media such as backup tapes. The organization should evaluate all transfers of physical media containing sensitive information to discontinue unnecessary or redundant transfers, either through the elimination of the transfer or through migration to network-based transmission. This determination can be made by considering the potential risk represented by the transfer, the size of the transfer, the related business process, any infrastructure limitations, legal, regulatory, or counterparty constraints, and associated costs.

If the organization determines that these transfers cannot be terminated or transmitted in-network and that physical transfers are necessary, the following controls should be implemented:

- Sensitive data in transport should be encrypted using approved encryption algorithms where feasible.
- An exact copy of the data should be maintained in case of loss or damage.
- A complete record of transport should be maintained, including contents, origin and destination, time shipped and received, who handled it during transport, and condition upon arrival.
- A Risk Acceptance should be filed when the transfer is noncompliant or encryption is not possible due to regulatory issues or other reasons.

A primary compensating control for the transfer of unencrypted physical media containing sensitive information is the use of an approved secure courier service. The media must be properly packaged in a tamper-evident container, and all transfer pickups and deliveries should be logged and documented, including volume serial number, tracking number, pickup or delivery time and date, as well as the name and contact information of the individual who transported the package(s).

Under certain circumstances, and where deemed appropriate and prudent, a staff member may transport unencrypted media containing sensitive information. The media must be properly packaged, the staff member must maintain physical control over the media at all times, and must obtain written acknowledgement of receipt from the recipient.

Now we'll discuss internal and external controls for securing communications.

Internal Controls

Any electronic communications containing sensitive information should be encrypted any time they are sent outside the organization. In addition, particularly sensitive communications should be encrypted at all times, even when sent internally. Staff members should be aware of the secure encryption requirements, have an approved encryption solution installed on their desktops, and be aware of how and when to use it. In certain instances, automated and policy-driven encryption can be used to protect the confidentiality and integrity of sensitive data when in transit without the sender's intervention.
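Returning to the transportable-media controls above (the exact retained copy, the record of transport, and the tamper-evident container), the following added example (not from the chapter) shows how the recipient can verify on arrival that nothing was lost, altered, or added in transit and that the custody chain is complete. It computes a SHA-256 manifest of the media contents at origin, keeps it with the transport record, and recomputes it on receipt. File contents, names, volume serial and tracking numbers, seal identifiers, and timestamps are all constructed.

```python
"""Integrity manifest and chain-of-custody record for transportable media.

Added illustration, not from the chapter. File contents, names, serial and
tracking numbers, seal identifiers and timestamps are all constructed.
"""
import hashlib
import hmac
import json


def file_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_manifest(files: dict) -> dict:
    """files maps file name -> bytes as written to the media.
    The manifest is created at origin and kept with the retained copy."""
    entries = {name: file_digest(files[name]) for name in sorted(files)}
    summary = hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()
    return {"files": entries, "manifest_sha256": summary}


def verify_manifest(manifest: dict, files: dict) -> list:
    """Recompute digests on arrival; return a list of discrepancies (empty if intact)."""
    problems = []
    for name, expected in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(file_digest(files[name]), expected):
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"extra: {name}")
    return problems


def new_transport_record(volume_serial, tracking_number, origin, destination, manifest):
    return {"volume_serial": volume_serial, "tracking_number": tracking_number,
            "origin": origin, "destination": destination,
            "manifest": manifest, "events": []}


def log_event(record, time, actor, action, seal_id, condition="intact"):
    """One custody event: who handled the package, when, and the seal they observed."""
    record["events"].append({"time": time, "actor": actor, "action": action,
                             "seal": seal_id, "condition": condition})


def custody_problems(record, received_files) -> list:
    """Checks the recipient runs before accepting the media."""
    issues = []
    events = record["events"]
    if not events or events[0]["action"] != "picked_up" or events[-1]["action"] != "received":
        issues.append("incomplete custody chain (needs pickup and receipt)")
    if len({e["seal"] for e in events}) > 1:
        issues.append("seal identifier changed in transit")
    if any(e["condition"] != "intact" for e in events):
        issues.append("container reported damaged or opened")
    issues.extend(verify_manifest(record["manifest"], received_files))
    return issues


# Constructed sample: two files on a backup volume.
SAMPLE_FILES = {
    "backup-2024-03.tar": b"tape payload (constructed) 0123456789",
    "index.txt": b"backup-2024-03.tar\n",
}


def example_shipment(received_files) -> list:
    """Build the manifest at origin, log a complete custody chain, check on arrival."""
    manifest = build_manifest(SAMPLE_FILES)
    rec = new_transport_record("VOL-000123", "TRK-98765", "HQ data centre", "DR site", manifest)
    log_event(rec, "2024-03-02T08:05:00Z", "courier A. Smith", "picked_up", "SEAL-4471")
    log_event(rec, "2024-03-02T13:40:00Z", "ops J. Doe", "received", "SEAL-4471")
    return custody_problems(rec, received_files)


if __name__ == "__main__":
    print("intact:", example_shipment(SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES, **{"index.txt": b"backup-2024-03.tar\nextra\n"})
    print("tampered:", example_shipment(tampered))
```

The manifest is not a substitute for encryption: it tells the recipient whether the media arrived as shipped, not whether someone read it on the way. That is why the chapter pairs it with encryption where feasible and a Risk Acceptance where not.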
More generally, an acceptable use policy should be implemented to clearly describe applicable restrictions on the transmission of sensitive information via e-mail. Since it relies on open ports, a particular risk of e-mail is that it allows malicious outsiders to circumvent perimeter defenses such as firewalls through the e-mail architecture. E-mail-borne viruses and malware can compromise sensitive data, with the added risk of spreading to partners, vendors, and competitors.
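The following added example (not from the chapter) shows one way an outbound mail gateway can enforce the restrictions above: it looks for sensitive data patterns in the message body, blocks messages from senders who are not authorized to transmit such data, and blocks unencrypted messages that would carry it outside the organization. The internal domain, the authorized-sender list, the sample messages, and the two detectors (payment card numbers validated with the Luhn checksum, and the US Social Security number format) are constructed assumptions; a production filter would carry many more patterns and would also inspect attachments.

```python
"""Outbound e-mail content check for sensitive data patterns.

Added illustration, not from the chapter. The sender list, domain, message
samples and the two detectors (payment card numbers validated with the Luhn
checksum, and US Social Security number format) are constructed.
"""
import re

INTERNAL_DOMAIN = "example.com"                          # assumption
AUTHORIZED_SENDERS = {"claims-processing@example.com"}   # users allowed to send such data

# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> list:
    """Return (kind, last4) for each match; full values are never logged."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits[-4:]))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", m.group()[-4:]))
    return findings


def evaluate_message(sender: str, recipients: list, body: str, encrypted: bool = False) -> dict:
    """Policy: sensitive content may only be sent by authorized senders, and
    must be encrypted whenever any recipient is outside the organization."""
    findings = find_sensitive(body)
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not findings:
        decision, reason = "allow", "no sensitive patterns"
    elif sender.lower() not in AUTHORIZED_SENDERS:
        decision, reason = "block", "sender not authorized to transmit sensitive data"
    elif external and not encrypted:
        decision, reason = "block", "sensitive data to external recipient without encryption"
    else:
        decision, reason = "allow", "authorized sender, encryption requirement met"
    return {"decision": decision, "reason": reason, "findings": findings, "external": external}


if __name__ == "__main__":
    # Constructed messages; 4111 1111 1111 1111 is a well-known test card number.
    print(evaluate_message("alice@example.com", ["bob@example.com"],
                           "Card 4111 1111 1111 1111 for the refund"))
    print(evaluate_message("claims-processing@example.com", ["partner@insurer.example"],
                           "Card 4111 1111 1111 1111 for the refund", encrypted=True))
    print(evaluate_message("alice@example.com", ["partner@insurer.example"],
                           "Order 1234 5678 9012 3456 has shipped"))
```

The Luhn check is what keeps the filter usable: a 16-digit order number is reported only if it happens to pass the checksum, so the gateway does not block routine mail and staff do not learn to route around it.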
E-mail security solutions can be installed at the network boundary or at the mail server layer to filter mail based on preconfigured or configurable standards. These include content filtering for inbound mail, traffic monitoring, and reporting. Additionally, solutions can be deployed to monitor outbound e-mail to detect information patterns and restrict the transmission of sensitive information from users not specifically authorized to transmit it.

External Controls

E-mail and Internet-related fraudulent schemes present a substantial risk to the reputation and customers of any organization that is impersonated. Current and potential customers may mistakenly perceive that weak information security resulted in security breaches that allowed access to confidential information. In addition, customers who fall prey to fraudulent schemes face a real and immediate risk from malicious parties, who will normally act quickly to gain unauthorized access and commit identity theft.

If warranted, an organization should consider enhancing security programs to address possible fraudulent schemes. This may include periodic notification to alert customers of known e-mail-related fraudulent schemes and to remind them to report any such requests, monitoring accounts individually or in aggregate for unusual activity, and in general avoiding sending any e-mails that request confidential information.

Technical Safeguards

In this section, we'll discuss various technical safeguards for securing systems within an organization's environment.

Firewalls

A firewall is a system, device, or collection of components configured to manage and regulate data flow between networks of different trust levels by permitting, denying, or proxying data. Although firewalls usually are placed between an internal network and an external untrusted network such as the Internet, they can also be used to create different subnets of the organizational network.
Typically, firewalls block or allow traffic based on static or dynamic rules. Static rules are preconfigured, while dynamic rules can be the result of automated coordination between the firewall and an intrusion detection system. For a higher security environment, a possible firewall implementation is a DMZ, which is a neutral accessible zone separated by a firewall between it and the
organization's private network and another firewall between it and any external access point or network. By putting all publicly accessible services on the DMZ, which constitutes a separate logical security domain, and allowing external parties to initiate connections to services on the DMZ only, the organization can ensure that its data and systems are not directly accessible from any external source.

A firewall policy will establish the organization's expectations for how the firewall should function and stems from an ongoing security risk assessment process. It establishes a formal process for approving and testing all external network connections, as well as rules for incoming and outgoing traffic, continuing management, and changes to the firewall configuration. These rules will cover:

- Firewall types, topology, and architecture.
- Functional requirements, including access controls, baseline configurations, rules and filters, services, content restrictions, and security and authentication details.
- List of services and ports necessary for business.
- Permissible traffic, including protocols, data, and applications permitted.
- Management and maintenance, including configuration auditing and testing.
- Traffic monitoring.
- Justification and documentation for any risky protocols allowed, including the reason for use of the protocol and the security features implemented.
- Procedures for addressing requests to bypass firewall security for specific protocols or services required for business purposes.

A review of firewall logs can alert administrators to changes to firewall policy, addition or promotion of administrative accounts, and network activity, including permitted and denied connections.

Intrusion Detection and Prevention Systems

Intrusion detection and prevention systems (IDS) are access control mechanisms that allow or disallow access based on a data traffic analysis.
They monitor the events occurring in a system or network, analyze them for signs of possible incidents involving unauthorized access or actual or imminent threats of policy violation, log and report incident activity, and attempt to stop the intrusion or mitigate the effects of
the detected issue. This is done either directly or by reconfiguring a firewall or making other changes to the security environment. The organization should ensure that:

- Intrusion detection systems are placed at any location where traffic from external entities is allowed to enter controlled or private networks.
- Host-based intrusion detection is placed on all sensitive systems, even if they do not allow external access.
- Administrators regularly analyze logs.
- Intrusion detection signatures are frequently updated.

IDS logs can record activities such as access to privileged accounts, unusual outbound connectivity, as well as administrative access to the IDS system.

Penetration Testing and Vulnerability Scanning

Penetration testing is used to evaluate the security of a system, network, or database by simulating an attack by a malicious user. It can help determine potential vulnerabilities that may result from improper configuration, technical flaws, or operational and process weaknesses. Once security issues are uncovered, their impact is assessed and a remediation plan is developed.

The test plan should detail the scope and procedure of the test in the context of assessed threats to organizational data. Depending on the test objective, resulting action may include:

- A detailed technical report on data and system vulnerabilities.
- The outcome of the test in business risk terms.
- Short-term and tactical recommendations.
- Long-term and strategic recommendations.
- A data security improvement action plan.

The frequency of testing should be determined on the basis of risk analysis and when significant changes are implemented.

Unlike the more manual approach of a penetration test, vulnerability scanning uses automated host- or network-based tools to help assess security weaknesses and risks. The tools can be run on a scheduled or ad-hoc basis and will generate a report identifying each discovered vulnerability and potential risk.
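The following added example (not from the chapter) ties together the firewall and log-review points above. It models the DMZ topology described earlier as three zones, evaluates connections against static rules with first-match-wins semantics and an implicit default deny, and then replays a short connection log through the policy to produce the kind of summary an administrator reviews: permitted and denied counts, and any source address whose denied attempts against the private network reach a threshold. The address ranges, rule set, thresholds, and log lines are constructed.

```python
"""Zone-based firewall rule evaluation and denied-connection review.

Added illustration, not from the chapter. The address ranges, rule set and
log lines are constructed; rules are static and evaluated first-match-wins
with an implicit default deny, as the firewall policy discussion describes.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed topology: a DMZ between the Internet and the private network.
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.0.2.0/24")],
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "external"                     # anything not ours is untrusted


# (src_zone, dst_zone, proto, dst_port, action, justification); None means any.
RULES = [
    ("external", "dmz", "tcp", 443, "allow", "public web service"),
    ("external", "dmz", "tcp", 25, "allow", "inbound mail relay"),
    ("dmz", "internal", "tcp", 5432, "allow", "web tier to database (documented exception)"),
    ("internal", "dmz", "tcp", None, "allow", "administration of DMZ hosts"),
    ("internal", "external", "tcp", 443, "allow", "outbound HTTPS"),
    ("external", "internal", None, None, "deny", "no direct access from untrusted to private network"),
]


def evaluate(src: str, dst: str, proto: str, dport: int):
    """First matching rule wins; no match means deny."""
    sz, dz = zone_of(src), zone_of(dst)
    for rs, rd, rp, rport, action, why in RULES:
        if rs == sz and rd == dz and rp in (None, proto) and rport in (None, dport):
            return action, why
    return "deny", "implicit default deny"


LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

# Constructed connection log as a firewall might export it.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443
2024-03-01T10:00:02Z src=203.0.113.5 dst=10.0.1.20 proto=tcp dport=22
2024-03-01T10:00:03Z src=203.0.113.5 dst=10.0.1.20 proto=tcp dport=3389
2024-03-01T10:00:04Z src=203.0.113.5 dst=10.0.1.21 proto=tcp dport=445
2024-03-01T10:00:05Z src=10.0.1.20 dst=192.0.2.10 proto=tcp dport=22
2024-03-01T10:00:06Z src=192.0.2.10 dst=10.0.1.30 proto=tcp dport=5432
2024-03-01T10:00:07Z src=192.0.2.10 dst=10.0.1.30 proto=tcp dport=22
"""


def review_log(text: str, deny_threshold: int = 3) -> dict:
    """Replay each logged connection through the policy and summarize:
    counts per action, and sources whose denied attempts reach the threshold
    (a simple signal that one address is probing the private network)."""
    actions = Counter()
    denied_by_src = defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        action, _ = evaluate(src, dst, proto, dport)
        actions[action] += 1
        if action == "deny":
            denied_by_src[src] += 1
    flagged = sorted(s for s, n in denied_by_src.items() if n >= deny_threshold)
    return {"allowed": actions["allow"], "denied": actions["deny"], "flagged_sources": flagged}


if __name__ == "__main__":
    print(review_log(SAMPLE_LOG))
```

Note the last log line: a DMZ host opening an SSH connection into the private network is denied by the implicit rule even though no explicit rule names it. A compromised DMZ host attempting exactly that is one of the events a regular log review is meant to surface, and in a layered design the IDS at the DMZ/internal boundary would alert on it as well.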
Data Transmission

Sensitive data transmission, whether through FTP, system to system, or web form submission, should be performed only over a trusted path or medium with controls to provide confidentiality, integrity, and authenticity of content. All connections from an internal system or database to other systems outside the accreditation boundary should be authorized only through the use of system connection agreements, and the connection should be monitored and controlled on an ongoing basis. Strong cryptography and security protocols should be used to safeguard the data during transmission over open, public networks. The transfer of personal information from external parties to the organization, usually through a web site, should be accomplished via secure servers using high-level encryption.

The risks from wireless networks should be evaluated carefully and appropriate controls implemented. Default network names and administrator passwords should be changed before activating the network. Address filtering can specify which physical computer addresses can connect to the network. Wireless networks transmitting sensitive data should have security enabled, and transmissions should be encrypted using protected access. Additionally, strong authentication and configuration controls should be implemented at the access point and on all clients, and unauthorized access points and clients should be monitored.

Remote Access

Remote access is any access to an organizational information resource by a user or system communicating through an external, nonorganization-controlled network or connection. The organization may deem it necessary to provide remote access to data and systems for remote workers or to support operations at remote locations. In some cases, remote access is required periodically by vendors to provide regular or emergency system support.
Because of the increased risks associated with access from outside the trusted perimeter, the organization should implement policies and processes governing the conditions under which remote access is granted and terminated. Remote access should be granted based on authorized business needs, limited to the minimum privileges needed, and require management approval, with all approvals periodically reviewed and justified. Any system remotely logging into an organizational network should have adequate antivirus and firewall protections, have all the mandated security and
configuration settings, and be properly patched. As a general practice, only devices that have been configured by the organization, or vendor devices that meet these requirements, should be authorized to connect to the internal network.

All communications between remote users and organizational networks should be through a virtual private network (VPN), which can provide a secure communications channel across a public network. Appropriate VPN security includes:

- Encryption of all transmitted data.
- Multifactor authentication requiring factors beyond general usernames and passwords to gain access.
- Strong password and account policies.
- Automatic session time-out after a certain period of inactivity and disconnection after a certain number of incorrect logon attempts.
- Logging and analysis of remote communications.

In cases where a vendor may require remote access to a system or data for maintenance or diagnostic purposes, the vendor must implement a level of security at least as high as that implemented on the data or system being serviced, unless the component being accessed is removed from the overall system and sanitized with regard to sensitive information and also tested for potentially malicious or erroneous updates before being reconnected to the system.

External System Connections

The organization may need to provide access to and from external information systems that are outside the accreditation boundary and for which there is no direct assurance over the application of security controls or the assessment of their effectiveness. In such circumstances, the organization should verify the employment of necessary security controls on the external system or have approved connection or processing agreements with the entity hosting the external system.
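Returning to the VPN requirements listed above, the following added example (not from the chapter) shows the account-side logic behind three of them in one small gateway model: both factors are required and checked in constant time, the account locks after a fixed number of consecutive failures, idle sessions are dropped after a timeout, and every outcome is written to an audit trail for the log analysis the chapter calls for. The accounts, credentials, thresholds, and the fixed one-time code standing in for a second factor are constructed assumptions; a real gateway would consult an MFA provider rather than a stored code.

```python
"""Remote-access gateway checks: multifactor login, lockout and idle timeout.

Added illustration, not from the chapter. Accounts, credentials, the one-time
code used as a stand-in second factor, and the thresholds are constructed;
a real gateway would use an MFA provider rather than a stored code.
"""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5       # assumption: lock after five consecutive failures
IDLE_TIMEOUT_SECONDS = 900    # assumption: disconnect after 15 minutes idle


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class RemoteAccessGateway:
    def __init__(self):
        self.accounts = {}   # user -> {"salt", "hash", "otp", "failed", "locked"}
        self.sessions = {}   # session id -> {"user", "last_activity"}
        self.audit = []      # (time, user, event) for later log analysis

    def add_account(self, user: str, password: str, otp_code: str):
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": hash_password(password, salt),
                               "otp": otp_code, "failed": 0, "locked": False}

    def login(self, user: str, password: str, otp_code: str, now: float):
        """Returns (session_id, status); status is 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            self.audit.append((now, user, "unknown user"))
            return None, "denied"
        if acct["locked"]:
            self.audit.append((now, user, "attempt on locked account"))
            return None, "locked"
        pw_ok = hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"])
        otp_ok = hmac.compare_digest(otp_code, acct["otp"])
        if not (pw_ok and otp_ok):          # both factors required; which one failed is not disclosed
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_ATTEMPTS:
                acct["locked"] = True
                self.audit.append((now, user, "account locked"))
                return None, "locked"
            self.audit.append((now, user, "failed login"))
            return None, "denied"
        acct["failed"] = 0                   # a success resets the failure counter
        sid = os.urandom(8).hex()
        self.sessions[sid] = {"user": user, "last_activity": now}
        self.audit.append((now, user, "login"))
        return sid, "ok"

    def activity(self, sid: str, now: float) -> bool:
        """Called on each request; returns False and drops the session if idle too long."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        if now - sess["last_activity"] > IDLE_TIMEOUT_SECONDS:
            self.audit.append((now, sess["user"], "session timed out"))
            del self.sessions[sid]
            return False
        sess["last_activity"] = now
        return True


if __name__ == "__main__":
    gw = RemoteAccessGateway()
    gw.add_account("rwilson", "correct horse battery", "482913")   # constructed credentials
    sid, status = gw.login("rwilson", "correct horse battery", "482913", now=0)
    print(status, gw.activity(sid, now=100), gw.activity(sid, now=2000))
    for event in gw.audit:
        print(event)
```

Unlocking is deliberately absent from the model: once an account locks, restoring it is an administrative action that belongs in the incident-handling process, not something the gateway does on its own.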
Interconnection security agreements are established between the organizations that own and operate the connected systems to specify the connection requirements and describe the security controls that will be used to protect the systems and data. These controls will be adhered to by both parties and will be based on risk and data sensitivity. Additional considerations for interconnected systems include an effective change management process to coordinate planned system changes that could affect the
interconnection, and prompt notification by both sides of security incidents and system disruptions in order to facilitate a coordinated response.

Antivirus and Patches

All servers and workstations should be configured with antivirus software, which should be automatically updated from the vendor's site at least daily. In addition to persistent protection, the antivirus software should perform a complete system scan on a scheduled basis. Individual workstations should not be able to disable local antivirus software or updates. The organization should implement procedures for handling virus infections that cannot be automatically cleaned. Such procedures can include isolating the affected device, manually attempting to remove the virus, or complete reinstallation or reconfiguration.

Centralized configuration files and identical group policies should be used to configure all workstations to an appropriately high level of security. In addition to decreasing the risk of a virus infection, this practice will also simplify general support.

Since viruses and intruders can exploit existing operating system vulnerabilities, it is important to configure all operating software to automatically receive the latest upgrades and patches. In addition, a system should be in place to scan all devices for missing patches and automatically initiate patch remediation without administrator involvement.

Isolation and Minimization

By restricting host systems to enterprise applications and operating system components, and isolating individual services to separate hosts, a potential compromise can be limited to the individual system or service, and the impact on other critical services would be limited. As part of a defense-in-depth protection strategy, the organization should consider partitioning sensitive data or systems into separate domains or environments.
Any connections should occur through managed interfaces consisting of appropriate boundary protection devices arranged in an effective architecture. More generally, communities of services, systems, data, and users that operate in different security roles or zones should be isolated in separate but interconnected groups, with monitoring and controls at the external boundary and at key internal boundaries. In the system configuration context, the principle of minimization essentially states that all software, services, protocols, or other functionality that is not required by the system or not necessary to perform a particular function should either be disabled or not installed, to eliminate it as an avenue of compromise. In addition to increased security, this best practice can also improve performance and simplify administration.

Access Control

Access to data should be controlled through a process that ensures that user access rights reflect defined and documented business needs and job requirements. All users must be uniquely identifiable, job requirements should be attached to user identities, access privileges for each system and data group should be identified, and access rights must be in line with defined and documented business needs and should reflect the concepts of least privilege and segregation of duties.

Access Provisioning

Organizations should have an effective process for identifying new users and recording, approving, and administering access rights. New access requests will be submitted by user management to the data or system owner for approval and processing. In certain cases, the assignment of rights may be established by the employee's role or group membership, and managed by preestablished authorizations for that group. Vendors or contractors may be granted access based on their relationship with the organization. The data owner will review and evaluate the request based on job function, data sensitivity, least privilege, and segregation of duties. Once approved, access will be configured by the data custodians or system administrators, who should not also be end users of the system in question. The provisioning process should include an efficient mechanism for notifying the granting authority when a user's status or role changes. This, along with system changes, will prompt a review and update of access rights. In addition, upon user leave or termination, access control privileges should be revoked in a timely manner.
In addition to normal operations, the assignment of authentication and authorization credentials should include business continuity planning responsibilities.

Authentication

Authentication is the verification of identity by a system or database based on the presentation of unique credentials to that system. Authentication contributes to the confidentiality of data and the accountability of actions performed on systems by verifying the unique identity of a user.

Passwords are a primary method used to control access to resources and are the most common authentication mechanism. Other mechanisms include tokens and biometrics. Authentication that relies on more than one credential is called multifactor authentication and is generally stronger than any single-factor method. To determine the need for this approach, the organization should perform a risk assessment of the particular access need. If the risk assessment indicates that the use of single-factor authentication may be inadequate, it should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate risk.

At a minimum, any access to sensitive organizational assets should require a unique account with an associated password. Passwords assigned to user accounts that access sensitive data should adhere to certain password management best practices, including:

- Adhering to complexity requirements such as minimum length, avoidance of common words or terms, avoidance of personal or factual information, and inclusion of various types of characters.
- Changing the initial administrator-issued password on new accounts before first use.
- Aging implementation, which requires password changes at set intervals commensurate with the risk level of the account.
- Avoiding use of the same account and password for multiple applications or purposes.
- Avoiding sharing, writing down, or electronic storage of passwords.
- Prohibiting password reuse for a specified number of generations.
- Ability for an administrator to change or reset a user password at any time.
- Clear guidance for handling lost and compromised passwords.

Accounts should be automatically logged off after a predetermined period of inactivity and locked out due to extended lack of use.
They should also be locked out due to repeated unsuccessful logon attempts. These automatic lockouts are usually temporary and automatically released after a predetermined time period. To increase security against unauthorized logon attempts, the authentication error feedback should not specify the particular component in error, but rather return a general error message. Any password system must balance password strength against the user's ability to remember and maintain a stronger, more secure password. When the balancing produces a password that is not sufficiently strong, a different authentication mechanism should be considered. All account, password, and other user authentication information should be protected from unauthorized access or modification. An end user account should not provide access to components other than the application front end, in order to prevent the bypassing of security and sign-on controls. Conversely, administrative accounts should not be used to perform end user functions. All files containing passwords or other authenticators must be encrypted, and passwords must not be transmitted in clear text.

Entitlement Reviews

An entitlement review is a periodic assessment of actual entitlement privileges and permissions to systems and data to ensure that access to particular information assets is proper and limited to the needs of the assigned role or job function as dictated by the user's manager. It allows the determination of which users have access to which systems and information, and whether that access complies with the organization's security policies. The review should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, and whether management authorizations are current. Entitlement reviews should be performed on a scheduled basis, with the review frequency determined by the information risk assessment.
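The password and logon controls from the Authentication section above (complexity rules, no reuse for a number of generations, aging, temporary lockout after repeated failures, and a generic error message that does not reveal which component was wrong) as an added example; this code is not from the book, and the policy values, the common-word list, the account name, and the authenticate function are assumptions for illustration.

```python
import hashlib, hmac, os, re

MIN_LEN, HISTORY, MAX_AGE_DAYS, MAX_FAILS, LOCK_SECS = 12, 5, 90, 5, 900  # assumed policy values
GENERIC_ERROR = "Login failed"   # identical text whether the user or the password was wrong
COMMON_WORDS = {"password", "welcome1234", "letmein12345"}   # constructed sample of common terms

def check_complexity(pw, username):
    # Returns the policy violations for a candidate password (empty list = acceptable)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("needs 3 of lower/upper/digit/symbol")
    if username.lower() in pw.lower() or pw.lower() in COMMON_WORDS:
        problems.append("contains username or common word")
    return problems

def _hash(pw, salt):   # passwords are stored only as salted PBKDF2 hashes, never in clear text
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, username, password, now):
        self.username, self.history, self.fails, self.locked_until = username, [], 0, 0.0
        self.set_password(password, now)

    def set_password(self, pw, now):
        problems = check_complexity(pw, self.username)
        if any(hmac.compare_digest(_hash(pw, s), h) for s, h in self.history):
            problems.append("reused within last %d generations" % HISTORY)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(pw, salt))])[-HISTORY:]
        self.changed_at = now   # seconds; password aging is measured from here

def authenticate(directory, username, pw, now):
    # Every failure before the credential is verified returns the same generic message
    acct = directory.get(username)
    if acct is None or now < acct.locked_until:   # unknown user or still locked out
        return False, GENERIC_ERROR
    salt, h = acct.history[-1]
    if not hmac.compare_digest(_hash(pw, salt), h):
        acct.fails += 1
        if acct.fails >= MAX_FAILS:   # temporary lockout, released automatically
            acct.fails, acct.locked_until = 0, now + LOCK_SECS
        return False, GENERIC_ERROR
    acct.fails = 0
    if now - acct.changed_at > MAX_AGE_DAYS * 86400:   # aging: verified but stale
        return False, "password expired; change required"
    return True, "ok"
```

The lockout releases itself once `now` passes `locked_until`, and the expiry message is only returned after the password has been verified, so neither path tells an outsider which credential component failed.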
In addition, an entitlement review should be performed whenever there is a change in user status, including transfer or reassignment to another business unit, change of job responsibilities within the same business unit, leave of absence or disability leave, conversion from nonemployee to employee, and employment termination. For particularly sensitive databases or resources, the review process should be automated to report changes in permissions to the appropriate manager. Each business unit should implement a documented process to review and verify user entitlements on a scheduled basis. An individual or group who does not perform the actual reviews should be assigned to oversee the entitlement review process. This individual or group, usually from security or compliance, will have the following responsibilities:

- Ensuring that business managers do not review their own access.
- Confirming that transferred and terminated employee entitlements were appropriately changed or revoked.
- Ensuring accurate and appropriate entitlements.
- Escalating overdue reviews and exceptions.
- Coordinating any process improvements based on issues that arise during the entitlement review process.

Privileged Accounts

Privileged accounts are functional IDs used for system administration and operation. These accounts have very few security restrictions, so they can allow a user to make unauthorized changes or to gain access to sensitive data, whether inadvertently or by design. In addition, as they are usually associated with a group or role and not directly attributable to an individual, there can be limited, if any, accountability. Since privileged accounts are critical to operating system and application availability, and are sometimes the only IDs allowed to perform certain functions, it is usually not possible to disable or delete them. It is therefore important to manage the risks associated with them by defining their appropriate use, ownership, and control.

Account Ownership

Each privileged account should be assigned to an owner who will be able to assign the account to an administrator but who will remain responsible for all activities performed with the account. For a system processing sensitive data, the owner will be the data or application owner, who will be able to assign the account to the administrator or DBA supporting the application or database. Upon an account owner's termination or transfer, the account should be transferred to a new owner, who will perform an entitlement review to ensure that all accounts are assigned properly.

Account Assignment and Usage

An account owner can authorize the use of a privileged account by a staff member based on:

- Justification: The reason access is required.
- Risk Profile: The system criticality multiplied by the account access level.
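An automated entitlement-review report, as an added example covering the Entitlement Reviews and Account Ownership sections above: it reports permission changes to the responsible manager, flags terminated or transferred users who still hold access, refuses to let a manager review their own entitlements, escalates overdue reviews, and flags privileged accounts whose owner is no longer active. The code is not from the book; the review interval, the oversight group name, the data layout and all names in the sample data are constructed for illustration.

```python
from collections import namedtuple

REVIEW_INTERVAL_DAYS = 90   # assumed: review frequency set by the information risk assessment
OVERSIGHT = "security-oversight"   # assumed name of the group that oversees the review process
Finding = namedtuple("Finding", "kind subject reviewer detail")

def review_user(user, before, after, person, today):
    reviewer, out = person.get("manager"), []
    if reviewer == user:   # a business manager must not review their own access
        reviewer = OVERSIGHT
        out.append(Finding("self-review", user, reviewer, "reassigned to oversight group"))
    if before != after:   # every permission change is reported to the responsible reviewer
        out.append(Finding("change", user, reviewer,
                           {"added": sorted(after - before), "removed": sorted(before - after)}))
    status = person.get("status", "unknown")
    if status == "terminated" and after:   # access that should already have been revoked
        out.append(Finding("revoke", user, reviewer, sorted(after)))
    elif status in ("transferred", "leave") and after:   # status change triggers a review
        out.append(Finding("re-review", user, reviewer, sorted(after)))
    if today - person.get("last_review", 0) > REVIEW_INTERVAL_DAYS:
        out.append(Finding("overdue", user, OVERSIGHT, "escalate"))
    return out

def entitlement_review(previous, current, people, privileged_owners, today):
    findings = []
    for user in sorted(set(previous) | set(current)):
        findings += review_user(user, previous.get(user, set()), current.get(user, set()),
                                people.get(user, {}), today)
    for account, owner in privileged_owners.items():   # owner left: account needs a new owner
        if people.get(owner, {}).get("status") != "active":
            findings.append(Finding("reassign-owner", account, owner, "owner no longer active"))
    return findings

# Constructed sample data; integers stand in for calendar days.
PEOPLE = {"alice": {"manager": "carol", "status": "active", "last_review": 100},
          "bob": {"manager": "carol", "status": "terminated", "last_review": 100},
          "carol": {"manager": "carol", "status": "active", "last_review": 10},
          "dave": {"manager": "erin", "status": "transferred", "last_review": 100}}
PREVIOUS = {"alice": {"crm-read"}, "bob": {"crm-read", "hr-db"}, "carol": {"crm-admin"}, "dave": {"finance"}}
CURRENT = {"alice": {"crm-read", "crm-export"}, "bob": {"hr-db"}, "carol": {"crm-admin"}, "dave": {"finance"}}
PRIV_OWNERS = {"ora_sys_crm": "carol", "root_hrdb": "bob"}   # privileged account -> owner

if __name__ == "__main__":
    for finding in entitlement_review(PREVIOUS, CURRENT, PEOPLE, PRIV_OWNERS, today=120):
        print(finding)
```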